Ask HN: What gives Cloudflare the right to takedown apps revealing site real IP?

35 points5ESS3y ago58 comments

I stumbled across an interesting app called “CrimeFlare” and what it does is reveal the real IP website’s using Cloudflare’s Ddos Mitigation Service.

CloudFlare had it taken down. https://github.com/zidansec/CrimeFlare

I’m assuming it does this by scanning the public internet in it’s entirely, indexing the domains. (A household fiber connection can scan the entire IPv4 space in a mere matter of weeks)

This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

I just fail to understand what grounds they have to take something like this down. Internet IPs are public knowledge and these websites are publicly accessible. Just because Cloudflare built a billion dollar buisness exploiting the fact that sites “real” IPs can be hidden through obscurity, doesn’t mean they should be able to censor/takedown apps that expose the flaw in their business plan!

Anyways, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all, and that CloudFlare doesn’t have the right to take something like this down!

58 comments

jgrahamc3y ago

> CloudFlare had it taken down.

I'm not sure where the idea that we took this down came from, but I checked with legal and we didn't. Such tools, services, etc. have existed forever. Just one reason why we encourage people to protect their public IP (https://developers.cloudflare.com/fundamentals/get-started/s...) and have Cloudflare Tunnel (https://developers.cloudflare.com/cloudflare-one/connections...).

5ESSOP3y ago

Thanks for clarifying that it had to be Github. The post you replied to says Gitbub or Cloudflare take it down. Either way, this issue should be brought to customers attention more clearly. Most people probably don’t know that the entire internet can be scanned in a matter of hours or days which might uncover their site. I’m curious how many customers are paying for your anti-ddos service yet their sites are easily findable using such a tool effectively rendering the service useless. Do you scan the internet yourself and proactively warn customers when their real IP is findable in this way?

CodesInChaos3y ago

> Do you scan the internet yourself and proactively warn customers when their real IP is findable in this way?

There is no reason for them to scan the internet. They could simply probe the configured origin server from an IP outside the whitelisted cloudflare IP range, and display a warning if it's accessible.

5ESSOP3y ago

Say that, despite your linked recommendations for hiding the public IP, thousands of customers were under the impression that as long as no one leaked the IP, no one would be able to discover the site. They’re paying you a lot of money for security, yet that security can be completely undermined by a teen with a scanner tool. If there’s thousands of clients paying for anti-DDOS services yet their IP is easily findable, then it’s like…what are they even paying for? On a scale of thousands this probably adds up to a large sum of money…Money paid for pointless services rendered.

ebbp3y ago

As someone on the “buy side” of Cloudflare-like services, that’s not how it works. How could a third party like Cloudflare protect my unprotected IP address? A very basic part of using a CDN/DDOS protection product is not allowing raw traffic to your origin server.

RE “as long as no one leaked their IP” - the IPv4 space is quite small. It’s trivial to scan it and discuss unadvertised, but ultimately very public, servers.

If customers don’t already have an understanding of both of these points, then they need to increase their competence in areas that are, frankly, pretty basic.

1 more reply

kube-system3y ago

Security tools, when misused or misunderstood, may have security weaknesses.

My house has a lock on the front door. Yet that security can be completely undermined if a teen throws a brick at my window. That isn't the fault of the manufacturer of the lock on my front door.

CodesInChaos3y ago

> This is obviously a huge threat to CloudFlare’s entire business model

I disagree. There are plenty of ways to hide your origin server, for example:

1. IPv6 only, since there are too many addresses to scan

2. Accepting connections only from cloudflare IPs (probably not enough on its own, since features like workers might allow an attacker to trigger requests from a cloudflare server)

3. Mutual TLS authentication

4. Authentication headers (since mTLS might be difficult to integrate in your application)

5. Responding only if the right host is requested, which could even be different from the public domain (not enough on its own, but prevents untargeted scans)

6. Using tunnels (as frizlab pointed out)

I think cloudflare already supports all of these out of the box. They just need to push their customers to apply such mitigations via documentation, displaying warnings if the origin server can be accessed directly, etc. So I consider this an inconvenience for cloudflare, but not a huge threat.

frizlab3y ago

They have tunnels now. The source does not have to be open to the public at all anymore (the tunnel is a kind of VPN between the source and Cloudflare; all the source has to do is install a single binary)

fjfbsufhdvfy3y ago

Cloudflare can easily do 4 as well. Use Transform Rules to inject Authorization header or any other one you want.

Nathanba3y ago

Why on earth would you try to help DDOS'ers? I think you should really take a step back here and reevaluate what drives you here and what impact you have on other people.

CodesInChaos3y ago

Publishing such tools raises awareness of the weakness, and pushes vulnerable origin servers to fix it. Ideally cloudflare would show a warning in their UI when the origin server is publicly accessible.

peppermint_tea3y ago

There is a website currently publishing my (outdated) informations without my consent (old home address, current email, old phone number) and it is hiding behind cloudflare. I wrote to cloudflare months ago, and silence... So there can be many sides to that story here...

edit : oh and what the hell, name and shame https://www.reversecanada.com/ (and they have variants for other countries)

ushakov3y ago

aren’t there any legitimate use-cases for it?

jokethrowaway3y ago

Yes, for example, pirate websites are often hiding their identity and if someone is infringing on your copyright you can't go and report it to their hosts because Cloudflare hides the IP. Reporting DMCA to Cloudflare won't give you the IP of their hosts.

A court ruling exempted Cloudflare from its users infringements of copyright making things easy for them.

1 more reply

5ESSOP3y ago

Before CloudFlare sends the FBI to my house..I’m not actually going to code this. It’s just an idea that exposes a problem. The problem is there’s a lot of Cloudflare customers who don’t have their servers configured properly to defend from it. If my amateur self can conceptualize this idea it means cybercriminals already have similar tools and are using them already so If you’re a site operator you should use this post as a warning and fix your servers ahead of time. However, it was messed up they might try to take down the tool rather then help mitigate the flaw.

kube-system3y ago

Technically speaking, GitHub took the repo down. This is an important distinction, because voluntary takedowns and legally compelled takedowns are two entirely different things, and it’s not necessarily correct to assume the latter.

eli3y ago

> This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

Protecting origin servers is hard. Nothing unique to CloudFlare about that. If you follow their set up documentation then this tool can't harm you: https://developers.cloudflare.com/fundamentals/get-started/t...

mmcgaha3y ago

If folks are really concerned about getting exposed they can firewall off everyone except cloudflare.

https://www.cloudflare.com/ips/

eli3y ago

Or better yet: use Cloudflare Tunnel to connect your origin to Cloudflare without exposing any inbound ports. I think you can also have Cloudflare present a client certificate that you can verify before responding.

jffry3y ago

Authenticated origin pulls are mutually exclusive with their tunnel. If you configure your firewall so that only the cloudflared tunnel process can access your origin server, then you can already be assured the request is coming from Cloudflare.

jasode3y ago

>, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all,

I'm not familiar with CrimeFlare and its technical details but a cursory google search shows that security-through-obscurity is possible with Cloudflare if one follows the correct sequence of steps to hide the ip. Otherwise, a careless setup such as public MX mail record will inadvertently "leak" the ip. E.g. Stackoverflow Q&A: https://stackoverflow.com/questions/58591448/how-does-crimef...

>, I intend to create a new internet-wide scanning system

But the host systems at the receiving end of your scanning tool still have to respond to your tool pinging them with network requests and if your ip origin isn't Cloudflare, the host server doesn't have to reply with useful information. Or did you have another mass scanning technique we're overlooking?

5ESSOP3y ago

What % of Cloudflare customers actually have their server set to only accept traffic from cloudflare IPs? Probably not the majority. If this is coming as a surprise to people then maybe Cloudflare isn’t doing enough to help people secure themselves against it.

zinekeller3y ago

As someone else (https://news.ycombinator.com/item?id=31096321) pointed out, everyone does that already, with Shodan (https://www.shodan.io/) being one of the most popular ones.

1 more reply

stairlane3y ago

Scanning the internet and indexing domains? Isn't that EXACTLY what binary edge and shodan do???

nickdothutton3y ago

If you are going to use someone else to front your service, take care to make sure that that (1) it cant even be accessed except via that front, and (2) that you dont leak your origin IP address or network, even if traffic to that origin is dropped from sources other than the service fronting it.

true_religion3y ago

How can you index domains by scanning the public internet? Wouldn’t trying to match domain names with IP addresses get you blocked by the server after too many failures? Or at least it would be too many attempts to make that it would take more than weeks?

cft3y ago

>by scanning the public internet in it’s entirely, indexing the domains

Can you explain this?

5ESSOP3y ago

So there’s only 4.2 billion possible IPv4 addresses where a site can live. A lot are reserved or unused, leaving about 3.7 billion possibilities. Household internet speeds are fast enough that it is within the realm of possibility that a computer could sequentially connect to every single IPv4 host on the entire internet in search for the target website. Specialty network cards with datacenter connections can scan the entire Ipv4 space in a matter of mere hours.

CodesInChaos3y ago

If the origin server only responds with the relevant content if the correct host is requested, this scan becomes much more expensive, since you need to scan all IPs for each domain you're interested in, instead of once total.

cft3y ago

But what makes you think that the real IP serves the same site to the public internet, as it proxies to CF? If I were using CF for DDoS mitigation, I would drop all traffic to my real IP other than traffic originating from CF.

2 more replies

formerkrogemp3y ago

The name might be infringement or the code might abuse their API. Or, GitHub could decide it's not worth it. Why would you try to scan every IP address?

5ESSOP3y ago

A valid use case for wanting to know the “real” IP of a site hiding behind CloudFlare is being able to access the website from a Tor IP address (which they categorically block). For users in a country with censored internet, such a service would be essential.

zinekeller3y ago

> which they categorically block

Everytime I check this statement with Cloudflare-enabled sites... it was either always accessible (a nagging screen might be shown momentarily, but that's it), or the block is usually due to that site being a bank or something else that will block Tor users regardless of their firewall solutions. I've just tested it again just in case something has changed, but that statement holds up every time.

Can you please give a non-banking site that a) uses Cloudflare and b) blocks Tor?

1 more reply

Comevius3y ago

Cloudflare doesn't automatically block Tor exit nodes, they just tend to earn a bad reputation. As a site owner you can decide what to do with that, the basic protection level issues CAPTCHA challenges.

Cloudflare also has it's own onion service, sites can opt in, and Cloudflare's public DNS is also available over it, sidestepping the need to go over exit nodes after the first request.

Liquid_Fire3y ago

If your website is behind CloudFlare, why even allow direct connections from anyone that's not CloudFlare?

1 more reply

spacemanmatt3y ago

https://github.com/zidansec/CrimeFlare-1

ushakov3y ago

that’s just the client though

it only makes request to https://api.xploit.my.id/v1/crimeflare.php and logs the output

zinekeller3y ago

Nope, that's literally it: https://web.archive.org/web/20210426093141/https://github.co...

crtasm3y ago

It appears zidansec runs xploit.my.id. The api subdomain is not currently responding.

https://www.xploit.my.id/2021/07/crimeflare-bypass-tools-clo...

ushakov3y ago

as far as i remember when the backend times out, CloudFlare shows a screen where you can see the actual IP of the server

jffry3y ago

I have seen the screen where Cloudflare cannot contact the origin and it absolutely does not include the IP address or other details about the origin.

You might be thinking of the "Ray ID" that Cloudflare displays on that page, which is just a random request ID that has nothing to do with the origin server.

dewey3y ago

That would defeat the whole purpose of using Cloudflare as an anti-ddos measure so I doubt that.

Teletio3y ago

Do you even know under which rule it gotten taken down?

rubyist5eva3y ago

Just another reason to add to the pile of why I hate that company.

jokethrowaway3y ago

They probably reported it as malware and M$ team didn't check what it was

j / k navigate · click thread line to collapse

58 comments

jgrahamc3y ago

> CloudFlare had it taken down.

5ESSOP3y ago

CodesInChaos3y ago

> Do you scan the internet yourself and proactively warn customers when their real IP is findable in this way?

5ESSOP3y ago

ebbp3y ago

RE “as long as no one leaked their IP” - the IPv4 space is quite small. It’s trivial to scan it and discuss unadvertised, but ultimately very public, servers.

If customers don’t already have an understanding of both of these points, then they need to increase their competence in areas that are, frankly, pretty basic.

1 more reply

kube-system3y ago

Security tools, when misused or misunderstood, may have security weaknesses.

My house has a lock on the front door. Yet that security can be completely undermined if a teen throws a brick at my window. That isn't the fault of the manufacturer of the lock on my front door.

CodesInChaos3y ago

> This is obviously a huge threat to CloudFlare’s entire business model

I disagree. There are plenty of ways to hide your origin server, for example:

1. IPv6 only, since there are too many addresses to scan

2. Accepting connections only from cloudflare IPs (probably not enough on its own, since features like workers might allow an attacker to trigger requests from a cloudflare server)

3. Mutual TLS authentication

4. Authentication headers (since mTLS might be difficult to integrate in your application)

5. Responding only if the right host is requested, which could even be different from the public domain (not enough on its own, but prevents untargeted scans)

6. Using tunnels (as frizlab pointed out)

frizlab3y ago

fjfbsufhdvfy3y ago

Cloudflare can easily do 4 as well. Use Transform Rules to inject Authorization header or any other one you want.

Nathanba3y ago

Why on earth would you try to help DDOS'ers? I think you should really take a step back here and reevaluate what drives you here and what impact you have on other people.

CodesInChaos3y ago

peppermint_tea3y ago

edit : oh and what the hell, name and shame https://www.reversecanada.com/ (and they have variants for other countries)

ushakov3y ago

aren’t there any legitimate use-cases for it?

jokethrowaway3y ago

A court ruling exempted Cloudflare from its users infringements of copyright making things easy for them.

1 more reply

5ESSOP3y ago

kube-system3y ago

eli3y ago

> This is obviously a huge threat to CloudFlare’s entire business model and it totally makes sense that they want to bury this.

mmcgaha3y ago

If folks are really concerned about getting exposed they can firewall off everyone except cloudflare.

https://www.cloudflare.com/ips/

eli3y ago

jffry3y ago

jasode3y ago

>, I intend to create a new internet-wide scanning system in order to revive the functionality of CrimeFlare just to prove a point that security through obscurity is no security and all,

>, I intend to create a new internet-wide scanning system

5ESSOP3y ago

zinekeller3y ago

As someone else (https://news.ycombinator.com/item?id=31096321) pointed out, everyone does that already, with Shodan (https://www.shodan.io/) being one of the most popular ones.

1 more reply

stairlane3y ago

Scanning the internet and indexing domains? Isn't that EXACTLY what binary edge and shodan do???

nickdothutton3y ago

true_religion3y ago

cft3y ago

>by scanning the public internet in it’s entirely, indexing the domains

Can you explain this?

5ESSOP3y ago

CodesInChaos3y ago

cft3y ago

2 more replies

formerkrogemp3y ago

The name might be infringement or the code might abuse their API. Or, GitHub could decide it's not worth it. Why would you try to scan every IP address?

5ESSOP3y ago

zinekeller3y ago

> which they categorically block

Can you please give a non-banking site that a) uses Cloudflare and b) blocks Tor?

1 more reply

Comevius3y ago

Cloudflare also has it's own onion service, sites can opt in, and Cloudflare's public DNS is also available over it, sidestepping the need to go over exit nodes after the first request.

Liquid_Fire3y ago

If your website is behind CloudFlare, why even allow direct connections from anyone that's not CloudFlare?

1 more reply

spacemanmatt3y ago

https://github.com/zidansec/CrimeFlare-1

ushakov3y ago

that’s just the client though

it only makes request to https://api.xploit.my.id/v1/crimeflare.php and logs the output

zinekeller3y ago

Nope, that's literally it: https://web.archive.org/web/20210426093141/https://github.co...

crtasm3y ago

It appears zidansec runs xploit.my.id. The api subdomain is not currently responding.

https://www.xploit.my.id/2021/07/crimeflare-bypass-tools-clo...

ushakov3y ago

as far as i remember when the backend times out, CloudFlare shows a screen where you can see the actual IP of the server

jffry3y ago

I have seen the screen where Cloudflare cannot contact the origin and it absolutely does not include the IP address or other details about the origin.

You might be thinking of the "Ray ID" that Cloudflare displays on that page, which is just a random request ID that has nothing to do with the origin server.

dewey3y ago

That would defeat the whole purpose of using Cloudflare as an anti-ddos measure so I doubt that.

Teletio3y ago

Do you even know under which rule it gotten taken down?

rubyist5eva3y ago

Just another reason to add to the pile of why I hate that company.

jokethrowaway3y ago

They probably reported it as malware and M$ team didn't check what it was

j / k navigate · click thread line to collapse